LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Generating and Using SSH Keys, Part 3

In previous tutorials in this series, we went over generating SSH keys and how to use them.  We’ll wrap up the series by showing you how to turn off password authentication on your server.

Why Configure for SSH Key Authentication Only

As mentioned in Part 1, SSH key authentication requires both “something you know” (the passphrase) and “something you have” (the SSH private key file).  Some attacker on the other side of the world might guess or brute force your password, or if you’re sloppy you might reuse it on some breached web site.  But none of that matters if the bad guy doesn’t have your SSH private key file.

This doesn’t mean you shouldn’t still use strong passphrases with your SSH private key file.  If for some reason, your client system (such as your home PC or laptop) was compromised, then security rests with this passphrase, so follow normal best practices for strong passphrases.

Disabling Password Authentication

First, test that SSH key authentication works (see Part 2) so you don’t lock yourself out.

Using your favorite editor (such as vi or nano), edit the /etc/ssh/sshd_config file.  The location is the same on both Debian- and CentOS-based systems.

    sudo vi /etc/ssh/sshd_config

Change these lines as follows:

    PubkeyAuthentication yes
    PasswordAuthentication no

Then restart sshd:

    systemctl restart sshd  

Now try to login.  Here I will use an account that was setup and has not had an ssh key configured:

    $ ssh testuser@myserver
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 

Wrapping Up

Here are the key takeaways from this series:

  • SSH key authentication is based on public key encryption.  The private key should be zealously protected.  On the other hand, the public key does not need to be kept secret.  The public key is what is installed on various servers you wish to connect to.
  • SSH key authentication is superior to passwords because it requires the user to have the SSH key file in his/her possession, not merely know a secret passphrase.
  • You should set a solid passphrase on your SSH private key file in case it is lost/stolen/compromised.
  • The ssh-copy-id utility allows you to very easily setup your SSH key on remote systems if you have a Linux or macOS client.  On Windows, you’ll need to proceed with manual steps.
  • Disabling password authentication on your servers completes the security setup.  Once done, the security of your server is significantly improved.

No Comments

    Leave a Reply

    Some notes on commenting on LowEndBox:

    • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
    • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
    • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

    Your email address will not be published. Required fields are marked *